Friday, 26 October 2012

Experts: Hackers will crack election systems


The result of an election will be changed by hackers; for one online security expert, the only remaining question is which election it will be.

“I’m somewhat surprised it hasn’t happened yet,” said Stephen Cobb, a
security evangelist for ESET-North America, an IT security company, in a
recent article in Dark Reading.

With the U.S. presidential election turning into a dead heat, every
vote is going to count, but if some hackers had their way, your vote
won’t matter.

Hacktivist groups like Anonymous and LulzSec are growing more
sophisticated every day with their use of new collaborative hacking
techniques, such as “crowdsourcing.” Meanwhile, voter databases are
increasingly being put online on state and local computer systems that
are often insecure and administered by part-time IT personnel.

“If big, Internet-based companies like Yahoo, LinkedIn, or Sony can
fall to hackers, then, yeah, big government databases and local
authorities who actually administer the election process can be hacked,”
said Cobb.

While the voter databases carry mostly innocuous information, such as
name and address, a hacktivist group could create havoc in an election
if they were to make changes to that database.

A hacker could, for example, switch the addresses of people on a
voting roll, putting them in a different precinct than where they
actually live. An error like this could be done close to the election
and could very well not be noticed until the day of the election. By
then it would be too late. That person would be ineligible to vote that
day.

Combining a voting database with other database information, such as
those collected by supermarkets, coupon offers, and consumer polling
data, hackers could target an area for disenfranchisement by simply
looking at the demographic breakdown of a voting precinct.

In a close race, as this presidential contest is shaping up to be,
shifting the election turnout in a few precincts in a swing state (e.g.,
Ohio) could change the outcome of an entire election. One only needs to
look at the 2000 election results in Florida to see how the voting
results in one or two precincts would have given the country President
Gore.

In the 2008 senatorial race in Minnesota, Al Franken won by 312
votes, the equivalent of one precinct. Tampering with just one machine
could have changed the outcome of the election.

Such a scenario is not fanciful. States like Washington and Maryland
putting voter registration data online make the threat all too real.

“Any system that is networked, especially to the Internet, is
inherently vulnerable to attacks on its availability, and the
confidentiality and integrity of its data,” says Steve Santorelli,
director of global outreach for the security research group Team Cymru.

According to Dr. Hugh Thompson, program committee chairman for RSA
Conference, one of the biggest dangers of voting-related cybercrime is
its undermining of voter confidence.

“Interestingly, the wrong person winning is not the worst thing that
can happen,” he says. “The real worst case is a hacker proving that the
vote was compromised and ultimately undermining the entire voting
process.”

Many political observers are already saying that this election could
be even more contentious than the 2000 contest without the added
complexity of electronic voter fraud. The new reality is that a
candidate may have to not just win an election, but win it
convincingly enough to avoid a challenge in court.

If a hacktivist group were to prove that their activities changed the
outcome of the presidential election, it could throw the legitimacy of
the outcome of all levels of election results into question.

Already Democratic operatives are paving the way for a challenge to
the presidential election results. Their talking point is that their
polls show that Barack Obama has the votes to win the presidency and if
he loses, it has to be on account of voter fraud.

Should such a challenge occur, many municipalities and even states
don’t have mechanisms in place to handle a case of massive voting fraud.

Would there be a recount? Would the election be thrown out and done
again? Most governing entities are not ready for that kind of scenario.

“It would impact the stock market and erode confidence in the entire
system, which is a real motivator for organizations that want to attack
critical infrastructure,” says Thompson.

“For the first time, technology is allowing groups of disgruntled
people to become empowered. These groups are organized, collected, and
collaborative, with a means to get their message and point across
through scenario attack tools, like DDoS [Distributed Denial of Service
attacks], that were not possible in 2008,” he says.

While these vulnerabilities are well known, some security experts believe they are difficult to take advantage of.

Many of the systems do have multiple copies of the voting database
stored in several locations and can be compared for discrepancies. This
would keep the casual hacker, called a “script kiddie,” from doing
damage, but it is not beyond the capability of a sophisticated
hacktivist group such as Anonymous or a nation-state.

A country such as Iran or China has the money and manpower to launch
such an attack. China is recruiting millions of its own people to form a
cyber army and Iran is conducting schools in “Cyber Jihad,” training a
generation of Muslim radicals on how to cripple a country with a
mouse-click.

It is not only the databases that are vulnerable; the voting machines
themselves have problems of their own. The problems with the voting
machines become more acute as more and more people vote electronically.
About 30 percent of all voters will use electronic machines.

It is important to note that voting machines aren’t much different
than regular consumer computers. Many of them run on the Windows
operating system and are susceptible to many of the same types of
vulnerabilities their cousins in the home or office are exposed to.
Known exploits or weaknesses such as weak passwords, poor password
protection, and buffer overflows can be used to compromise voting
machines just like home PCs can fall victim to an attack.

Researchers at Argonne National Laboratory outside of Chicago, Ill.,
have determined that those electronic voting machines can be easily
manipulated, casting doubt on their security and effectiveness.

The group used an attack method called the “man in the middle,” where
data communication from one machine to another is interrupted by a
hacker and only the information he wants to go through is allowed
passage.

If the data stream (polling results) favors a candidate the hacker
wants, the data is allowed to go through. If not, the data could be
intercepted and sequestered.

The Argonne group used a small remote control device to control the data coming from the machine.
The vulnerability assessment team believes that even a talented
teenager could hijack a voting machine with hacking equipment that could
be built for $26.

“I think our view of the voting machines we’ve looked at is that
there really isn’t much security thought put into these devices,”
according to Roger Johnston, head of Argonne’s Vulnerability Assessment
Team.

One of the problems facing election officials is the fact that there
are very few ways to publicly verify the security claims offered by
e-voting system manufacturers.

Most electronic voting machine manufacturers practice “security by
obscurity,” using proprietary software for their machines. While it may
make a hacker work harder to crack the machine originally, it also makes
it very difficult to verify the system’s integrity.

In a video, researchers Roger Johnston and Jon Warner from Argonne
National Laboratory’s Vulnerability Assessment Team demonstrate three of
the techniques a hacker can use to take control of an electronic voting
machine by attaching a piece of “alien electronics” to the machine’s
circuit board.

The video
shows how a hacker could input data into a machine no matter what the
voter enters. When a voter presses the “vote now” button, the screen
will momentarily go blank. During this time, the hacker could enter
their own information remotely into the machine.

Johnston explained: “When the voter hits the ‘vote now’ button to
register his votes, we can blank the screen and then go back and vote
differently and the voter will be unaware that this has happened.”

The researchers explain that the ease with which these machines can be
hacked highlights the fact that the e-voting machines not only need to
be designed to be more secure, but the physical security around the
machines also needs to be improved.

“Spend an extra four bucks and get a better lock,” Johnston said.
“You don’t have to have state-of-the-art security, but you can do some
things where it takes at least a little bit of skill to get in.”